Thread: a buildworld yields tcpdump oddness

a buildworld yields tcpdump oddness
Drav Sloan (United Kingdom)
2008-05-01 21:05:37
Hiya all!

   I'm fairly new to pf and have recently set up a firewall using it. After getting things up and running I decided to cvsup and buildworld the 7.0-RELEASE branch. However, odd things started appearing in the output of tcpdump when the old 'tcpdump -n -e -ttt -i pflog0' is used. Instead of the usual output I now get:

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 bytes
000000 rule 6/0(match): block in on re0: [|ip]
000058 rule 6/0(match): block in on re0: [|ip]
300. 033021 rule 6/0(match): block in on re0: [|ip]
000056 rule 6/0(match): block in on re0: [|ip]
368. 212637 rule 6/0(match): block in on re0: [|ip]
000059 rule 6/0(match): block in on re0: [|ip]

As you can see, the actual traffic being blocked is not "present", so it's about as much use as Boris in a mayoral election (as I've no idea _what_ is being blocked).

Has anyone come across this before? Have I done something dumb with my configs that has nuked the pflog0 output? Any ideas how I can kick this up the arse?

_Strangely_ a tcpdump of /var/log/pflog yields the expected behaviour:

# tcpdump -n -e -ttt -r /var/log/pflog
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
.
.
368. 212637 rule 6/0(match): block in on re0: 10.0.0.1.138 > 10.0.0.255.138: NBT UDP PACKET(138)
000059 rule 6/0(match): block in on re0: 10.0.0.1.138 > 10.0.0.255.138: NBT UDP PACKET(138)

I'm stumped :/

Cheers in advance for any cl00 offered

Regards

Drav.

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Re: a buildworld yields tcpdump oddness
David DeSimone
2008-05-01 21:32:23
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Drav Sloan <holbs@real-life.tm> wrote:
>
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 bytes
> 000000 rule 6/0(match): block in on re0: [|ip]
> 000058 rule 6/0(match): block in on re0: [|ip]

When you see the [|xxx] syntax in tcpdump, that is its way of telling you that the packet you captured is truncated, and it cannot show you more information unless you capture a longer packet.

With recent changes to PF, the default capture size (68 bytes as seen above) is insufficient.  Try adding "-s128" to capture more of the packets and you should see an improvement.

-- 
David DeSimone == Network Admin == fox@verio.net
"This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected.  If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments.  Please notify the sender immediately by return e-mail and permanently delete this message and any attachments.  Verio, Inc. makes no warranty that this email is error or virus free.  Thank you."
--Lawyer Bot 6000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFIGn02FSrKRjX5eCoRApFtAJ93pVFCdW2QJx2IDX3AXVZ6M4ZowQCeMQxQ
PkQ0MEWSRSbRh8W2HSHXVXI=
=XsE3
-----END PGP SIGNATURE-----
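
The truncation David describes, as an added example that is not from the thread, from tcpdump or from pf itself: a small Python decoder for PFLOG records that shows why a 68-byte snaplen leaves nothing of the IP header to print. It assumes the 64-byte pflog pseudo-header layout (61 bytes used plus 3 bytes of padding, fields in host byte order, little-endian here) that the newer pf brought in; the older header was only 28 bytes, which is why 68 bytes used to be enough. The record is constructed inline, and the output format mimics the lines quoted above rather than tcpdump's actual printer.

```python
"""Decode one pflog record under different snaplens (constructed example)."""
import socket
import struct

# Assumed layout of the pflog pseudo-header: length, af, action, reason,
# ifname[16], ruleset[16], rulenr, subrulenr, uid, pid, rule_uid, rule_pid,
# dir, 3 pad bytes. Host byte order, assumed little-endian (x86).
PFLOG_HDR_FMT = "<BBBB16s16sIIiiiiB3x"
PFLOG_HDRLEN = struct.calcsize(PFLOG_HDR_FMT)   # 64 bytes

PF_ACTIONS = {0: "pass", 1: "block"}
PF_DIRS = {1: "in", 2: "out"}
PF_REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short"}
AF_INET = 2


def build_sample_record() -> bytes:
    """Constructed record: pflog header + IPv4/UDP 10.0.0.1:138 -> 10.0.0.255:138."""
    payload = b"\x11" * 12                       # arbitrary bytes standing in for a NetBIOS datagram
    udp = struct.pack("!HHHH", 138, 138, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(udp) + len(payload),   # version/IHL, TOS, total length
                     0x1234, 0, 64, 17, 0,                      # id, flags/frag, TTL, proto=UDP, csum
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.255"))
    hdr = struct.pack(PFLOG_HDR_FMT,
                      61, AF_INET, 1, 0,         # length, af, action=block, reason=match
                      b"re0", b"",               # ifname, ruleset (anchor) name
                      6, 0,                      # rulenr, subrulenr
                      -1, -1, -1, -1,            # uid/pid of socket and of rule: none
                      1)                         # dir = in
    return hdr + ip + udp + payload


def capture(record: bytes, snaplen: int) -> bytes:
    """What a BPF capture keeps of a record under the given snaplen."""
    return record[:snaplen]


def decode_ipv4(pkt: bytes) -> str:
    """Render the IP part; report truncation the way tcpdump's [|proto] does."""
    if len(pkt) < 20:
        return "[|ip]"                           # IP header cut off by the snaplen
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    if proto != 17:
        return "%s > %s: proto %d" % (src, dst, proto)
    udp = pkt[ihl:ihl + 8]
    if len(udp) < 8:
        return "%s > %s: [|udp]" % (src, dst)   # IP complete, UDP header cut off
    sport, dport = struct.unpack("!HH", udp[:4])
    return "%s.%d > %s.%d" % (src, sport, dst, dport)


def decode(captured: bytes) -> str:
    """Render one captured record in the style of the lines quoted in the thread."""
    if len(captured) < PFLOG_HDRLEN:
        return "[|pflog]"
    (_, af, action, reason, ifname, _, rulenr, subrulenr,
     _, _, _, _, direction) = struct.unpack(PFLOG_HDR_FMT, captured[:PFLOG_HDRLEN])
    prefix = "rule %d/%d(%s): %s %s on %s: " % (
        rulenr, subrulenr, PF_REASONS.get(reason, "unkn"),
        PF_ACTIONS.get(action, "unkn"), PF_DIRS.get(direction, "unkn"),
        ifname.rstrip(b"\0").decode())
    if af != AF_INET:
        return prefix + "[non-IPv4]"
    return prefix + decode_ipv4(captured[PFLOG_HDRLEN:])


if __name__ == "__main__":
    record = build_sample_record()
    for snaplen in (68, 84, 128):
        print("snaplen %3d: %s" % (snaplen, decode(capture(record, snaplen))))
```

With the 64-byte header, a 68-byte snaplen keeps just 4 bytes of IP, hence `[|ip]` for every line; 84 bytes gets you addresses but no ports, and 128 covers header, IP, UDP and some payload, which is why "-s128" fixes the live display. Reading /var/log/pflog back works because pflogd writes that file with its own, larger default snaplen rather than tcpdump's 68.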

Re: a buildworld yields tcpdump oddness
Drav Sloan (United Kingdom)
2008-05-01 21:45:15
David DeSimone wrote:
> When you see the [|xxx] syntax in tcpdump, that is its way of telling you that the packet you captured is truncated, and it cannot show you more information unless you capture a longer packet.
> 
> With recent changes to PF, the default capture size (68 bytes as seen above) is insufficient.  Try adding "-s128" to capture more of the packets and you should see an improvement.

Et voilà! Been using tcpdump for years, never knew about that one!

Cheers Dave,

(and apologies for the multiple post, I thought the first one would have been rejected given its return address...)

Regards

Drav.